---
sidebar_label: Okta
description: >-
  The '/identity/mfa/method/okta' endpoint focuses on managing Okta MFA behaviors in OpenBao.
---

## Configure okta MFA method

This endpoint defines an MFA method of type Okta.

| Method | Path                            |
| :----- | :------------------------------ |
| `POST` | `/identity/mfa/method/okta/:method_id` |

### Parameters

- `method_id` `(string: "")` - Optional UUID to specify if updating an existing method.

- `method_name` `(string)` - The unique name identifier for this MFA method.

- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{identity.entity.name}}@example.com"`. If blank, the Entity's Name field is used as-is.

- `org_name` `(string: <required>)` - Name of the organization to be used in the Okta API.

- `api_token` `(string: <required>)` - Okta API key.

- `base_url` `(string)` - If set, will be used as the base domain for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com.

- `primary_email` `(bool: false)` - If set, the username will only match the primary email for the account.

### Sample payload

```json
{
  "username_format": "{{identity.entity.aliases.auth_userpass_1793464a.name}}",
  "org_name": "dev-262778",
  "api_token": "0081u7KrReNkzmABZJAP2oDyIXccveqx9vIOEyCZDC"
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/method/okta
```

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/method/okta/1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc
```

## Read okta MFA method

This endpoint queries the MFA configuration of Okta type for a given method
name.

| Method | Path                            |
| :----- | :------------------------------ |
| `GET`  | `/identity/mfa/method/okta/:id` |

### Parameters

- `id` `(string: <required>)` – UUID of the MFA method.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/method/okta/1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc
```

### Sample response

```json
{
  "data": {
    "api_token": "0081u7KrReNkzmABZJAP2oDyIXccveqx9vIOEyCZDC",
    "id": "1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc",
    "name": "my_okta",
    "org_name": "dev-262778",
    "type": "okta",
    "username_format": "{{identity.entity.aliases.auth_userpass_1793464a.name}}"
  }
}
```

## Delete okta MFA method

This endpoint deletes a Okta MFA method. The MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).

| Method   | Path                            |
| :------- | :------------------------------ |
| `DELETE` | `/identity/mfa/method/okta/:id` |

### Parameters

- `id` `(string: <required>)` - UUID of the MFA method.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/method/okta/1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc
```

## List okta MFA methods

This endpoint lists Okta MFA methods that are visible.

| Method | Path                        |
| :----- | :-------------------------- |
| `LIST` | `/identity/mfa/method/okta` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/method/okta
```

### Sample response

```json
{
  "data": {
    "keys": [
      "1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc"
    ]
  }
}
```
